Snapdrive for Unix
La versione in lingua italiana fornita proviene da una traduzione automatica. Per eventuali incoerenze, fare riferimento alla versione in lingua inglese.

Creazione di un certificato firmato dalla CA

Collaboratori

Il servizio daemon SnapDrive per UNIX richiede la generazione di un certificato firmato da CA per la comunicazione daemon. È necessario fornire il certificato firmato dalla CA nel percorso specificato in snapdrive.conf file.

  • Devi essere connesso come utente root.

  • È necessario impostare i seguenti parametri in snapdrive.conf File per utilizzare HTTPS per la comunicazione:

    • use-https-to-sdu-daemon=on

    • contact-https-port-sdu-daemon=4095

    • sdu-daemon-certificate-path=/opt/NetApp/snapdrive/snapdrive.pem

Fasi
  1. Generare una nuova chiave privata RSA non crittografata in un formato pem:

    $ openssl genrsa -out privkey.pem 1024

    Generating RSA private key, 1024 bit long modulus
     ....................++++++ ....................................++++++
    e is 65537 (0x10001)
  2. Configurare /etc/ssl/openssl.cnf Per creare la chiave privata della CA e il certificato vi /etc/ssl/openssl.cnf.

  3. Creare un certificato senza firma utilizzando la chiave privata RSA:

    $ openssl req -new -x509 -key privkey.pem -out cert.pem

    You are about to be asked to enter information that will be
    incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or
    a DN.
    There are quite a few fields but you can leave some blank For some
    fields there will be a default value, If you enter '.', the field
    will be left blank.
    -----
    Country Name (2 letter code) [XX]:NY
    State or Province Name (full name) []:Nebraska Locality Name (eg,
    city) [Default City]:Omaha Organization Name (eg, company) [Default
    Company Ltd]:abc.com Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:localhost
    Email Address []:abc@example.org
  4. Utilizzare la chiave privata e il certificato per creare una CSR:

    cat cert.pem privkey.pem | openssl x509 -x509toreq -signkey privkey.pem -out certreq.csr

    Getting request Private Key Generating certificate request
  5. Firmare il certificato con la chiave privata della CA utilizzando la CSR appena creata:

    $ openssl ca -in certreq.csr -out newcert.pem

    Using configuration from /etc/pki/tls/openssl.cnf Check that the
    request matches the signature Signature ok Certificate Details:
             Serial Number: 4096 (0x1000)
             Validity
                Not Before: May 17 06:02:51 2015 GMT
                 Not After : May 16 06:02:51 2016 GMT
                 Subject:
                 countryName               = NY
                 stateOrProvinceName       = Nebraska
                 organizationName          = abc.com
                 commonName                = localhost
                 emailAddress              = abc@example.org
                 X509v3 extensions:
                 X509v3 Basic Constraints:
                     CA:FALSE
                 X509v3 Key Usage:
                     Digital Signature, Non Repudiation, Key Encipherment
                 Netscape Comment:
                     OpenSSL Generated Certificate
                 X509v3 Subject Key Identifier:
                     FB:B0:F6:A0:9B:F2:C2:BC:50:BF:45:B2:9D:DB:AA:3B:C5:07:5B:7F
                 X509v3 Authority Key Identifier:
    
     keyid:FB:B0:F6:A0:9B:F2:C2:BC:50:BF:45:B2:9D:DB:AA:3B:C5:07:5B:7F
    
     Certificate is to be certified until May 16 06:02:51 2016 GMT (365
     days) Sign the certificate? [y/n]:y
    
    
     1 out of 1 certificate requests certified, commit? [y/n]y Write out
     database with 1 new entries Data Base Updated
  6. Installare il certificato firmato e la chiave privata che devono essere utilizzati da un server SSL.

    The newcert.pem is the certificate signed by your local CA that you can then use in an
    ssl server:
    ( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem
    ln -s server.pem `openssl x509 -hash -noout -in server.pem`.0 # dot-zero
    ( server.pem refers to location of https server certificate)